-rw-r--r-- | src/cryptography/x509/__init__.py | 7 | ||||
-rw-r--r-- | src/cryptography/x509/base.py | 129 | ||||
-rw-r--r-- | src/cryptography/x509/extensions.py | 144 | ||||
-rw-r--r-- | tests/test_x509.py | 60 | ||||
-rw-r--r-- | tests/test_x509_ext.py | 130 |
5 files changed, 245 insertions, 225 deletions
diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py index 3e6420e7..389d737b 100644 --- a/src/cryptography/x509/__init__.py +++ b/src/cryptography/x509/__init__.py @@ -5,7 +5,7 @@ from __future__ import absolute_import, division, print_function from cryptography.x509.base import ( - AccessDescription, AuthorityInformationAccess, AuthorityKeyIdentifier, + AccessDescription, AuthorityInformationAccess, BasicConstraints, CRLDistributionPoints, Certificate, CertificateBuilder, CertificatePolicies, CertificateRevocationList, CertificateSigningRequest, CertificateSigningRequestBuilder, DistributionPoint, @@ -14,10 +14,13 @@ from cryptography.x509.base import ( InvalidVersion, IssuerAlternativeName, KeyUsage, NameConstraints, NoticeReference, OCSPNoCheck, ObjectIdentifier, PolicyInformation, ReasonFlags, - RevokedCertificate, SubjectAlternativeName, SubjectKeyIdentifier, + RevokedCertificate, SubjectAlternativeName, UnsupportedExtension, UserNotice, Version, load_der_x509_certificate, load_der_x509_csr, load_pem_x509_certificate, load_pem_x509_csr, ) +from cryptography.x509.extensions import ( + AuthorityKeyIdentifier, SubjectKeyIdentifier +) from cryptography.x509.general_name import ( DNSName, DirectoryName, GeneralName, IPAddress, OtherName, RFC822Name, RegisteredID, UniformResourceIdentifier, UnsupportedGeneralNameType, diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 4f0d11ef..b906c7a8 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py 
@@ -6,17 +6,12 @@ from __future__ import absolute_import, division, print_function
 
 import abc
 import datetime
-import hashlib
 import ipaddress
 from enum import Enum
 
-from pyasn1.codec.der import decoder
-from pyasn1.type import namedtype, univ
-
 import six
 
 from cryptography import utils
-from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
 from cryptography.x509.general_name import GeneralName, IPAddress, OtherName
 from cryptography.x509.name import Name
@@ -25,34 +20,6 @@ from cryptography.x509.oid import (
 )
 
 
-class _SubjectPublicKeyInfo(univ.Sequence):
-    componentType = namedtype.NamedTypes(
-        namedtype.NamedType('algorithm', univ.Sequence()),
-        namedtype.NamedType('subjectPublicKey', univ.BitString())
-    )
-
-
-def _key_identifier_from_public_key(public_key):
-    # This is a very slow way to do this.
-    serialized = public_key.public_bytes(
-        serialization.Encoding.DER,
-        serialization.PublicFormat.SubjectPublicKeyInfo
-    )
-    spki, remaining = decoder.decode(
-        serialized, asn1Spec=_SubjectPublicKeyInfo()
-    )
-    assert not remaining
-    # the univ.BitString object is a tuple of bits. We need bytes and
-    # pyasn1 really doesn't want to give them to us. To get it we'll
-    # build an integer and convert that to bytes.
-    bits = 0
-    for bit in spki.getComponentByName("subjectPublicKey"):
-        bits = bits << 1 | bit
-
-    data = utils.int_to_bytes(bits)
-    return hashlib.sha1(data).digest()
-
-
 _UNIX_EPOCH = datetime.datetime(1970, 1, 1)
 
 
@@ -534,34 +501,6 @@ class NoticeReference(object):
 
 
 @utils.register_interface(ExtensionType)
-class SubjectKeyIdentifier(object):
-    oid = ExtensionOID.SUBJECT_KEY_IDENTIFIER
-
-    def __init__(self, digest):
-        self._digest = digest
-
-    @classmethod
-    def from_public_key(cls, public_key):
-        return cls(_key_identifier_from_public_key(public_key))
-
-    digest = utils.read_only_property("_digest")
-
-    def __repr__(self):
-        return "<SubjectKeyIdentifier(digest={0!r})>".format(self.digest)
-
-    def __eq__(self, other):
-        if not isinstance(other, SubjectKeyIdentifier):
-            return NotImplemented
-
-        return (
-            self.digest == other.digest
-        )
-
-    def __ne__(self, other):
-        return not self == other
-
-
-@utils.register_interface(ExtensionType)
 class NameConstraints(object):
     oid = ExtensionOID.NAME_CONSTRAINTS
 
@@ -876,74 +815,6 @@ class IssuerAlternativeName(object):
         return not self == other
 
 
-@utils.register_interface(ExtensionType)
-class AuthorityKeyIdentifier(object):
-    oid = ExtensionOID.AUTHORITY_KEY_IDENTIFIER
-
-    def __init__(self, key_identifier, authority_cert_issuer,
-                 authority_cert_serial_number):
-        if authority_cert_issuer or authority_cert_serial_number:
-            if not authority_cert_issuer or not authority_cert_serial_number:
-                raise ValueError(
-                    "authority_cert_issuer and authority_cert_serial_number "
-                    "must both be present or both None"
-                )
-
-            if not all(
-                isinstance(x, GeneralName) for x in authority_cert_issuer
-            ):
-                raise TypeError(
-                    "authority_cert_issuer must be a list of GeneralName "
-                    "objects"
-                )
-
-            if not isinstance(authority_cert_serial_number, six.integer_types):
-                raise TypeError(
-                    "authority_cert_serial_number must be an integer"
-                )
-
-        self._key_identifier = key_identifier
-        self._authority_cert_issuer = authority_cert_issuer
-        self._authority_cert_serial_number = authority_cert_serial_number
-
-    @classmethod
-    def from_issuer_public_key(cls, public_key):
-        digest = _key_identifier_from_public_key(public_key)
-        return cls(
-            key_identifier=digest,
-            authority_cert_issuer=None,
-            authority_cert_serial_number=None
-        )
-
-    def __repr__(self):
-        return (
-            "<AuthorityKeyIdentifier(key_identifier={0.key_identifier!r}, "
-            "authority_cert_issuer={0.authority_cert_issuer}, "
-            "authority_cert_serial_number={0.authority_cert_serial_number}"
-            ")>".format(self)
-        )
-
-    def __eq__(self, other):
-        if not isinstance(other, AuthorityKeyIdentifier):
-            return NotImplemented
-
-        return (
-            self.key_identifier == other.key_identifier and
-            self.authority_cert_issuer == other.authority_cert_issuer and
-            self.authority_cert_serial_number ==
-            other.authority_cert_serial_number
-        )
-
-    def __ne__(self, other):
-        return not self == other
-
-    key_identifier = utils.read_only_property("_key_identifier")
-    authority_cert_issuer = utils.read_only_property("_authority_cert_issuer")
-    authority_cert_serial_number = utils.read_only_property(
-        "_authority_cert_serial_number"
-    )
-
-
 @six.add_metaclass(abc.ABCMeta)
 class Certificate(object):
     @abc.abstractmethod
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
new file mode 100644
index 00000000..38175531
--- /dev/null
+++ b/src/cryptography/x509/extensions.py
@@ -0,0 +1,144 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import hashlib
+
+from pyasn1.codec.der import decoder
+from pyasn1.type import namedtype, univ
+
+import six
+
+from cryptography import utils
+from cryptography.hazmat.primitives import serialization
+from cryptography.x509.base import ExtensionType
+from cryptography.x509.general_name import GeneralName
+from cryptography.x509.oid import (
+    ExtensionOID
+)
+
+
+class _SubjectPublicKeyInfo(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('algorithm', univ.Sequence()),
+        namedtype.NamedType('subjectPublicKey', univ.BitString())
+    )
+
+
+def _key_identifier_from_public_key(public_key):
+    # This is a very slow way to do this.
+    serialized = public_key.public_bytes(
+        serialization.Encoding.DER,
+        serialization.PublicFormat.SubjectPublicKeyInfo
+    )
+    spki, remaining = decoder.decode(
+        serialized, asn1Spec=_SubjectPublicKeyInfo()
+    )
+    assert not remaining
+    # the univ.BitString object is a tuple of bits. We need bytes and
+    # pyasn1 really doesn't want to give them to us. To get it we'll
+    # build an integer and convert that to bytes.
+    bits = 0
+    for bit in spki.getComponentByName("subjectPublicKey"):
+        bits = bits << 1 | bit
+
+    data = utils.int_to_bytes(bits)
+    return hashlib.sha1(data).digest()
+
+
+@utils.register_interface(ExtensionType)
+class AuthorityKeyIdentifier(object):
+    oid = ExtensionOID.AUTHORITY_KEY_IDENTIFIER
+
+    def __init__(self, key_identifier, authority_cert_issuer,
+                 authority_cert_serial_number):
+        if authority_cert_issuer or authority_cert_serial_number:
+            if not authority_cert_issuer or not authority_cert_serial_number:
+                raise ValueError(
+                    "authority_cert_issuer and authority_cert_serial_number "
+                    "must both be present or both None"
+                )
+
+            if not all(
+                isinstance(x, GeneralName) for x in authority_cert_issuer
+            ):
+                raise TypeError(
+                    "authority_cert_issuer must be a list of GeneralName "
+                    "objects"
+                )
+
+            if not isinstance(authority_cert_serial_number, six.integer_types):
+                raise TypeError(
+                    "authority_cert_serial_number must be an integer"
+                )
+
+        self._key_identifier = key_identifier
+        self._authority_cert_issuer = authority_cert_issuer
+        self._authority_cert_serial_number = authority_cert_serial_number
+
+    @classmethod
+    def from_issuer_public_key(cls, public_key):
+        digest = _key_identifier_from_public_key(public_key)
+        return cls(
+            key_identifier=digest,
+            authority_cert_issuer=None,
+            authority_cert_serial_number=None
+        )
+
+    def __repr__(self):
+        return (
+            "<AuthorityKeyIdentifier(key_identifier={0.key_identifier!r}, "
+            "authority_cert_issuer={0.authority_cert_issuer}, "
+            "authority_cert_serial_number={0.authority_cert_serial_number}"
+            ")>".format(self)
+        )
+
+    def __eq__(self, other):
+        if not isinstance(other, AuthorityKeyIdentifier):
+            return NotImplemented
+
+        return (
+            self.key_identifier == other.key_identifier and
+            self.authority_cert_issuer == other.authority_cert_issuer and
+            self.authority_cert_serial_number ==
+            other.authority_cert_serial_number
+        )
+
+    def __ne__(self, other):
+        return not self == other
+
+    key_identifier = utils.read_only_property("_key_identifier")
+    authority_cert_issuer = utils.read_only_property("_authority_cert_issuer")
+    authority_cert_serial_number = utils.read_only_property(
+        "_authority_cert_serial_number"
+    )
+
+
+@utils.register_interface(ExtensionType)
+class SubjectKeyIdentifier(object):
+    oid = ExtensionOID.SUBJECT_KEY_IDENTIFIER
+
+    def __init__(self, digest):
+        self._digest = digest
+
+    @classmethod
+    def from_public_key(cls, public_key):
+        return cls(_key_identifier_from_public_key(public_key))
+
+    digest = utils.read_only_property("_digest")
+
+    def __repr__(self):
+        return "<SubjectKeyIdentifier(digest={0!r})>".format(self.digest)
+
+    def __eq__(self, other):
+        if not isinstance(other, SubjectKeyIdentifier):
+            return NotImplemented
+
+        return (
+            self.digest == other.digest
+        )
+
+    def __ne__(self, other):
+        return not self == other
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 99ac69ee..42f8f58d 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -20,7 +20,7 @@ from cryptography.hazmat.backends.interfaces import (
 )
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
-from cryptography.x509.oid import NameOID
+from cryptography.x509.oid import ExtensionOID, NameOID
 
 from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
 from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
@@ -586,7 +586,7 @@ class TestRSACertificateRequest(object):
         with pytest.raises(x509.DuplicateExtension) as exc:
             request.extensions
 
-        assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
+        assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
 
     def test_unsupported_critical_extension(self, backend):
         request = _load_cert(
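Review bot: `AuthorityKeyIdentifier.__init__` in the new extensions.py tests `authority_cert_issuer` and `authority_cert_serial_number` by truthiness, so a serial number of `0` or an empty issuer list is treated as absent and the "must both be present or both None" ValueError fires even when both were supplied; the two conditions should be `if authority_cert_issuer is not None or authority_cert_serial_number is not None:` and `if authority_cert_issuer is None or authority_cert_serial_number is None:`. In `_key_identifier_from_public_key`, `utils.int_to_bytes(bits)` is called without a length, so as far as I can tell a subjectPublicKey BIT STRING that began with a zero octet would lose that octet before hashing and the result would no longer be the RFC 5280 §4.2.1.2 method-(1) identifier; this cannot happen for the DER SEQUENCE, INTEGER and uncompressed-point encodings the library emits, but it deserves a comment such as `# relies on the first octet of subjectPublicKey being non-zero (true for the RSA/DSA/EC encodings produced by public_bytes)`. A one-line comment that SHA-1 here is the RFC-mandated key-identifier hash rather than a security primitive would pre-empt the usual SHA-1 question. `assert not remaining` is compiled out under `-O`; the input is the library's own DER so it is an invariant check, but `if remaining: raise ValueError("trailing data after SubjectPublicKeyInfo")` keeps it in optimized builds.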
@@ -624,7 +624,7 @@ class TestRSACertificateRequest(object): assert isinstance(extensions, x509.Extensions) assert list(extensions) == [ x509.Extension( - x509.OID_BASIC_CONSTRAINTS, + ExtensionOID.BASIC_CONSTRAINTS, True, x509.BasicConstraints(ca=True, path_length=1), ), @@ -637,7 +637,7 @@ class TestRSACertificateRequest(object): backend, ) ext = request.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(ext.value) == [ x509.DNSName(u"cryptography.io"), @@ -821,12 +821,12 @@ class TestRSACertificateRequest(object): assert cert.not_valid_before == not_valid_before assert cert.not_valid_after == not_valid_after basic_constraints = cert.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None subject_alternative_name = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(subject_alternative_name.value) == [ x509.DNSName(u"cryptography.io"), @@ -1315,7 +1315,7 @@ class TestCertificateBuilder(object): cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) ext = cert.extensions.get_extension_for_oid( - x509.OID_CRL_DISTRIBUTION_POINTS + ExtensionOID.CRL_DISTRIBUTION_POINTS ) assert ext.critical is False assert ext.value == cdp 
@@ -1357,12 +1357,12 @@ class TestCertificateBuilder(object): assert cert.not_valid_before == not_valid_before assert cert.not_valid_after == not_valid_after basic_constraints = cert.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None subject_alternative_name = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(subject_alternative_name.value) == [ x509.DNSName(u"cryptography.io"), @@ -1406,12 +1406,12 @@ class TestCertificateBuilder(object): assert cert.not_valid_before == not_valid_before assert cert.not_valid_after == not_valid_after basic_constraints = cert.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None subject_alternative_name = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(subject_alternative_name.value) == [ x509.DNSName(u"cryptography.io"), @@ -1472,7 +1472,7 @@ class TestCertificateBuilder(object): ).sign(issuer_private_key, hashes.SHA256(), backend) ext = cert.extensions.get_extension_for_oid( - x509.OID_ISSUER_ALTERNATIVE_NAME + ExtensionOID.ISSUER_ALTERNATIVE_NAME ) assert ext.critical is False assert ext.value == x509.IssuerAlternativeName([ @@ -1510,7 +1510,7 @@ class TestCertificateBuilder(object): ).sign(issuer_private_key, hashes.SHA256(), backend) eku = cert.extensions.get_extension_for_oid( - x509.OID_EXTENDED_KEY_USAGE + ExtensionOID.EXTENDED_KEY_USAGE ) assert eku.critical is False assert eku.value == x509.ExtendedKeyUsage([ 
@@ -1545,7 +1545,7 @@ class TestCertificateBuilder(object): ).sign(issuer_private_key, hashes.SHA256(), backend) ext = cert.extensions.get_extension_for_oid( - x509.OID_INHIBIT_ANY_POLICY + ExtensionOID.INHIBIT_ANY_POLICY ) assert ext.value == x509.InhibitAnyPolicy(3) @@ -1585,7 +1585,7 @@ class TestCertificateBuilder(object): critical=False ).sign(issuer_private_key, hashes.SHA256(), backend) - ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE) + ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) assert ext.critical is False assert ext.value == x509.KeyUsage( digital_signature=True, @@ -1641,7 +1641,7 @@ class TestCertificateSigningRequestBuilder(object): x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), ] basic_constraints = request.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is True assert basic_constraints.value.path_length == 2 @@ -1689,7 +1689,7 @@ class TestCertificateSigningRequestBuilder(object): x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ] basic_constraints = request.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None @@ -1719,7 +1719,7 @@ class TestCertificateSigningRequestBuilder(object): x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), ] basic_constraints = request.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is True assert basic_constraints.value.path_length == 2 
@@ -1748,7 +1748,7 @@ class TestCertificateSigningRequestBuilder(object): x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ] basic_constraints = request.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is True assert basic_constraints.value.path_length == 2 @@ -1811,7 +1811,7 @@ class TestCertificateSigningRequestBuilder(object): critical=False ).sign(private_key, hashes.SHA256(), backend) assert len(request.extensions) == 1 - ext = request.extensions.get_extension_for_oid(x509.OID_KEY_USAGE) + ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) assert ext.critical is False assert ext.value == x509.KeyUsage( digital_signature=True, @@ -1847,7 +1847,7 @@ class TestCertificateSigningRequestBuilder(object): critical=False ).sign(private_key, hashes.SHA256(), backend) assert len(request.extensions) == 1 - ext = request.extensions.get_extension_for_oid(x509.OID_KEY_USAGE) + ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) assert ext.critical is False assert ext.value == x509.KeyUsage( digital_signature=False, @@ -1877,12 +1877,12 @@ class TestCertificateSigningRequestBuilder(object): public_key = request.public_key() assert isinstance(public_key, rsa.RSAPublicKey) basic_constraints = request.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is True assert basic_constraints.value.path_length == 2 ext = request.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(ext.value) == [x509.DNSName(u"cryptography.io")] 
@@ -1939,10 +1939,10 @@ class TestCertificateSigningRequestBuilder(object): assert len(csr.extensions) == 1 ext = csr.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert not ext.critical - assert ext.oid == x509.OID_SUBJECT_ALTERNATIVE_NAME + assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME assert list(ext.value) == [ x509.DNSName(u"example.com"), x509.DNSName(u"*.example.com"), @@ -2018,7 +2018,7 @@ class TestCertificateSigningRequestBuilder(object): ).sign(private_key, hashes.SHA256(), backend) eku = request.extensions.get_extension_for_oid( - x509.OID_EXTENDED_KEY_USAGE + ExtensionOID.EXTENDED_KEY_USAGE ) assert eku.critical is False assert eku.value == x509.ExtendedKeyUsage([ @@ -2079,7 +2079,7 @@ class TestCertificateSigningRequestBuilder(object): cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) ext = cert.extensions.get_extension_for_oid( - x509.OID_AUTHORITY_INFORMATION_ACCESS + ExtensionOID.AUTHORITY_INFORMATION_ACCESS ) assert ext.value == aia @@ -2115,7 +2115,7 @@ class TestCertificateSigningRequestBuilder(object): cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_KEY_IDENTIFIER + ExtensionOID.SUBJECT_KEY_IDENTIFIER ) assert ext.value == ski @@ -2191,7 +2191,7 @@ class TestCertificateSigningRequestBuilder(object): cert = builder.sign(issuer_private_key, hashes.SHA256(), backend) ext = cert.extensions.get_extension_for_oid( - x509.OID_AUTHORITY_KEY_IDENTIFIER + ExtensionOID.AUTHORITY_KEY_IDENTIFIER ) assert ext.value == aki @@ -2221,7 +2221,7 @@ class TestCertificateSigningRequestBuilder(object): cert = builder.sign(issuer_private_key, hashes.SHA256(), backend) ext = cert.extensions.get_extension_for_oid( - x509.OID_OCSP_NO_CHECK + ExtensionOID.OCSP_NO_CHECK ) assert isinstance(ext.value, x509.OCSPNoCheck) 
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index c94ffae1..faf9086a 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -17,7 +17,7 @@ from cryptography.hazmat.backends.interfaces import ( DSABackend, EllipticCurveBackend, RSABackend, X509Backend ) from cryptography.hazmat.primitives.asymmetric import ec -from cryptography.x509.oid import NameOID +from cryptography.x509.oid import ExtensionOID, NameOID from .hazmat.primitives.test_ec import _skip_curve_unsupported from .test_x509 import _load_cert @@ -32,11 +32,11 @@ class TestExtension(object): def test_critical_not_a_bool(self): bc = x509.BasicConstraints(ca=False, path_length=None) with pytest.raises(TypeError): - x509.Extension(x509.OID_BASIC_CONSTRAINTS, "notabool", bc) + x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc) def test_repr(self): bc = x509.BasicConstraints(ca=False, path_length=None) - ext = x509.Extension(x509.OID_BASIC_CONSTRAINTS, True, bc) + ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc) assert repr(ext) == ( "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst" "raints)>, critical=True, value=<BasicConstraints(ca=False, path" @@ -278,7 +278,7 @@ class TestCertificatePoliciesExtension(object): ) cp = cert.extensions.get_extension_for_oid( - x509.OID_CERTIFICATE_POLICIES + ExtensionOID.CERTIFICATE_POLICIES ).value assert cp == x509.CertificatePolicies([ @@ -298,7 +298,7 @@ class TestCertificatePoliciesExtension(object): ) cp = cert.extensions.get_extension_for_oid( - x509.OID_CERTIFICATE_POLICIES + ExtensionOID.CERTIFICATE_POLICIES ).value assert cp == x509.CertificatePolicies([ @@ -325,7 +325,7 @@ class TestCertificatePoliciesExtension(object): ) cp = cert.extensions.get_extension_for_oid( - x509.OID_CERTIFICATE_POLICIES + ExtensionOID.CERTIFICATE_POLICIES ).value assert cp == x509.CertificatePolicies([ 
@@ -345,7 +345,7 @@ class TestCertificatePoliciesExtension(object): ) cp = cert.extensions.get_extension_for_oid( - x509.OID_CERTIFICATE_POLICIES + ExtensionOID.CERTIFICATE_POLICIES ).value assert cp == x509.CertificatePolicies([ @@ -557,7 +557,7 @@ class TestSubjectKeyIdentifier(object): ski = x509.SubjectKeyIdentifier( binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") ) - ext = x509.Extension(x509.OID_SUBJECT_KEY_IDENTIFIER, False, ski) + ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski) if six.PY3: assert repr(ext) == ( "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK" @@ -775,9 +775,9 @@ class TestExtensions(object): assert len(ext) == 0 assert list(ext) == [] with pytest.raises(x509.ExtensionNotFound) as exc: - ext.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS) + ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS) - assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS + assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS def test_one_extension(self, backend): cert = _load_cert( @@ -788,7 +788,7 @@ class TestExtensions(object): backend ) extensions = cert.extensions - ext = extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS) + ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS) assert ext is not None assert ext.value.ca is False @@ -803,7 +803,7 @@ class TestExtensions(object): with pytest.raises(x509.DuplicateExtension) as exc: cert.extensions - assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS + assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS def test_unsupported_critical_extension(self, backend): cert = _load_cert( @@ -843,7 +843,7 @@ class TestBasicConstraintsExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert ext is not None assert ext.critical is True 
@@ -857,7 +857,7 @@ class TestBasicConstraintsExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert ext is not None assert ext.critical is True @@ -871,7 +871,7 @@ class TestBasicConstraintsExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert ext is not None assert ext.critical is True @@ -885,7 +885,7 @@ class TestBasicConstraintsExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert ext is not None assert ext.critical is True @@ -904,7 +904,9 @@ class TestBasicConstraintsExtension(object): backend ) with pytest.raises(x509.ExtensionNotFound): - cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS) + cert.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) def test_basic_constraint_not_critical(self, backend): cert = _load_cert( @@ -915,7 +917,7 @@ class TestBasicConstraintsExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert ext is not None assert ext.critical is False @@ -932,7 +934,7 @@ class TestSubjectKeyIdentifierExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_KEY_IDENTIFIER + ExtensionOID.SUBJECT_KEY_IDENTIFIER ) ski = ext.value assert ext is not None @@ -951,7 +953,7 @@ class TestSubjectKeyIdentifierExtension(object): ) with pytest.raises(x509.ExtensionNotFound): cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_KEY_IDENTIFIER + ExtensionOID.SUBJECT_KEY_IDENTIFIER ) @pytest.mark.requires_backend_interface(interface=RSABackend) 
@@ -963,7 +965,7 @@ class TestSubjectKeyIdentifierExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_KEY_IDENTIFIER + ExtensionOID.SUBJECT_KEY_IDENTIFIER ) ski = x509.SubjectKeyIdentifier.from_public_key( cert.public_key() @@ -980,7 +982,7 @@ class TestSubjectKeyIdentifierExtension(object): ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_KEY_IDENTIFIER + ExtensionOID.SUBJECT_KEY_IDENTIFIER ) ski = x509.SubjectKeyIdentifier.from_public_key( cert.public_key() @@ -998,7 +1000,7 @@ class TestSubjectKeyIdentifierExtension(object): ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_KEY_IDENTIFIER + ExtensionOID.SUBJECT_KEY_IDENTIFIER ) ski = x509.SubjectKeyIdentifier.from_public_key( cert.public_key() @@ -1017,9 +1019,9 @@ class TestKeyUsageExtension(object): ) ext = cert.extensions with pytest.raises(x509.ExtensionNotFound) as exc: - ext.get_extension_for_oid(x509.OID_KEY_USAGE) + ext.get_extension_for_oid(ExtensionOID.KEY_USAGE) - assert exc.value.oid == x509.OID_KEY_USAGE + assert exc.value.oid == ExtensionOID.KEY_USAGE def test_all_purposes(self, backend): cert = _load_cert( @@ -1030,7 +1032,7 @@ class TestKeyUsageExtension(object): backend ) extensions = cert.extensions - ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE) + ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) assert ext is not None ku = ext.value @@ -1052,7 +1054,7 @@ class TestKeyUsageExtension(object): x509.load_der_x509_certificate, backend ) - ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE) + ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) assert ext is not None assert ext.critical is True @@ -1217,7 +1219,7 @@ class TestRegisteredID(object): def test_ne(self): gn = x509.RegisteredID(NameOID.COMMON_NAME) - gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS) + gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS) assert gn != gn2 assert gn != object() 
@@ -1425,7 +1427,7 @@ class TestRSAIssuerAlternativeNameExtension(object): backend, ) ext = cert.extensions.get_extension_for_oid( - x509.OID_ISSUER_ALTERNATIVE_NAME + ExtensionOID.ISSUER_ALTERNATIVE_NAME ) assert list(ext.value) == [ x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"), @@ -1498,7 +1500,7 @@ class TestRSASubjectAlternativeNameExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert ext is not None assert ext.critical is False @@ -1515,7 +1517,7 @@ class TestRSASubjectAlternativeNameExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) dns = ext.value.get_values_for_type(x509.DNSName) @@ -1533,7 +1535,7 @@ class TestRSASubjectAlternativeNameExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) dns = ext.value.get_values_for_type(x509.DNSName) @@ -1559,7 +1561,7 @@ class TestRSASubjectAlternativeNameExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert ext is not None assert ext.critical is False @@ -1577,7 +1579,7 @@ class TestRSASubjectAlternativeNameExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert ext is not None uri = ext.value.get_values_for_type( @@ -1598,7 +1600,7 @@ class TestRSASubjectAlternativeNameExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert ext is not None assert ext.critical is False 
@@ -1620,7 +1622,7 @@ class TestRSASubjectAlternativeNameExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert ext is not None assert ext.critical is False @@ -1645,7 +1647,7 @@ class TestRSASubjectAlternativeNameExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert ext is not None assert ext.critical is False @@ -1675,7 +1677,7 @@ class TestRSASubjectAlternativeNameExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert ext is not None rfc822_name = ext.value.get_values_for_type(x509.RFC822Name) @@ -1694,7 +1696,7 @@ class TestRSASubjectAlternativeNameExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert ext is not None assert ext.critical is False @@ -1745,7 +1747,7 @@ class TestRSASubjectAlternativeNameExtension(object): ) ext = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert ext is not None assert ext.critical is False @@ -1771,7 +1773,7 @@ class TestExtendedKeyUsageExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_EXTENDED_KEY_USAGE + ExtensionOID.EXTENDED_KEY_USAGE ) assert ext is not None assert ext.critical is False @@ -1940,7 +1942,7 @@ class TestAuthorityInformationAccessExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_AUTHORITY_INFORMATION_ACCESS + ExtensionOID.AUTHORITY_INFORMATION_ACCESS ) assert ext is not None assert ext.critical is False 
@@ -1963,7 +1965,7 @@ class TestAuthorityInformationAccessExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_AUTHORITY_INFORMATION_ACCESS + ExtensionOID.AUTHORITY_INFORMATION_ACCESS ) assert ext is not None assert ext.critical is False @@ -1994,7 +1996,7 @@ class TestAuthorityInformationAccessExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_AUTHORITY_INFORMATION_ACCESS + ExtensionOID.AUTHORITY_INFORMATION_ACCESS ) assert ext is not None assert ext.critical is False @@ -2013,7 +2015,7 @@ class TestAuthorityInformationAccessExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_AUTHORITY_INFORMATION_ACCESS + ExtensionOID.AUTHORITY_INFORMATION_ACCESS ) assert ext is not None assert ext.critical is False @@ -2042,7 +2044,7 @@ class TestAuthorityKeyIdentifierExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_AUTHORITY_KEY_IDENTIFIER + ExtensionOID.AUTHORITY_KEY_IDENTIFIER ) assert ext is not None assert ext.critical is False @@ -2062,7 +2064,7 @@ class TestAuthorityKeyIdentifierExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_AUTHORITY_KEY_IDENTIFIER + ExtensionOID.AUTHORITY_KEY_IDENTIFIER ) assert ext is not None assert ext.critical is False @@ -2093,7 +2095,7 @@ class TestAuthorityKeyIdentifierExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_AUTHORITY_KEY_IDENTIFIER + ExtensionOID.AUTHORITY_KEY_IDENTIFIER ) assert ext is not None assert ext.critical is False @@ -2125,7 +2127,7 @@ class TestAuthorityKeyIdentifierExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_AUTHORITY_KEY_IDENTIFIER + ExtensionOID.AUTHORITY_KEY_IDENTIFIER ) aki = x509.AuthorityKeyIdentifier.from_issuer_public_key( issuer_cert.public_key() 
@@ -2242,7 +2244,7 @@ class TestNameConstraintsExtension(object):
 backend
 )
 nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
 ).value
 assert nc == x509.NameConstraints(
 permitted_subtrees=[
@@ -2264,7 +2266,7 @@ class TestNameConstraintsExtension(object):
 backend
 )
 nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
 ).value
 assert nc == x509.NameConstraints(
 permitted_subtrees=[
@@ -2282,7 +2284,7 @@ class TestNameConstraintsExtension(object):
 backend
 )
 nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
 ).value
 assert nc == x509.NameConstraints(
 permitted_subtrees=[
@@ -2301,7 +2303,7 @@ class TestNameConstraintsExtension(object):
 backend
 )
 nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
 ).value
 assert nc == x509.NameConstraints(
 permitted_subtrees=None,
@@ -2320,7 +2322,7 @@ class TestNameConstraintsExtension(object):
 backend
 )
 nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
 ).value
 assert nc == x509.NameConstraints(
 permitted_subtrees=[
@@ -2342,7 +2344,7 @@ class TestNameConstraintsExtension(object):
 backend
 )
 nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
 ).value
 assert nc == x509.NameConstraints(
 permitted_subtrees=[
@@ -2362,7 +2364,7 @@ class TestNameConstraintsExtension(object):
 )
 with pytest.raises(ValueError):
 cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
 )
@@ -2671,7 +2673,7 @@ class TestCRLDistributionPointsExtension(object):
 )
 cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
 ).value
 assert cdps == x509.CRLDistributionPoints([
@@ -2721,7 +2723,7 @@ class TestCRLDistributionPointsExtension(object):
 )
 cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
 ).value
 assert cdps == x509.CRLDistributionPoints([
@@ -2760,7 +2762,7 @@ class TestCRLDistributionPointsExtension(object):
 )
 cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
 ).value
 assert cdps == x509.CRLDistributionPoints([
@@ -2797,7 +2799,7 @@ class TestCRLDistributionPointsExtension(object):
 )
 cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
 ).value
 assert cdps == x509.CRLDistributionPoints([
@@ -2830,7 +2832,7 @@ class TestCRLDistributionPointsExtension(object):
 )
 cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
 ).value
 assert cdps == x509.CRLDistributionPoints([
@@ -2854,7 +2856,7 @@ class TestCRLDistributionPointsExtension(object):
 )
 cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
 ).value
 assert cdps == x509.CRLDistributionPoints([
@@ -2885,7 +2887,7 @@ class TestOCSPNoCheckExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_OCSP_NO_CHECK
+ ExtensionOID.OCSP_NO_CHECK
 )
 assert isinstance(ext.value, x509.OCSPNoCheck)
@@ -2927,7 +2929,7 @@ class TestInhibitAnyPolicyExtension(object):
 backend
 )
 iap = cert.extensions.get_extension_for_oid(
- x509.OID_INHIBIT_ANY_POLICY
+ ExtensionOID.INHIBIT_ANY_POLICY
 ).value
 assert iap.skip_certs == 5 |
